splunk-vulnerability

Analysis

Splunk is a big data analytics tool that gathers data from multiple sources, indexes it, and makes it easier to search, visualize and analyze. On June 14th, Splunk released Splunk Enterprise version 9.0; earlier versions of Splunk Enterprise are affected by an arbitrary code execution vulnerability.

In versions of the Splunk Enterprise deployment server before 9.0, deployment clients were able to deploy forwarder bundles to other deployment clients via the deployment server. If an attacker compromises a single Universal Forwarder endpoint, they can exploit this vulnerability to run arbitrary code on all other Universal Forwarder endpoints subscribed to the same deployment server.

The vulnerability is rated critical, with a CVSS 3.1 base score of 10 as assessed by NIST, and is tracked as CVE-2022-32158 in the CVE database.


Prevention

To mitigate this vulnerability, Splunk advises upgrading Splunk Enterprise to version 9.0 or later, and has stated that it is working on patches for the previous versions.
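Since the fix is a version cutoff, the practical check is an inventory sweep for deployment servers still running below 9.0. The following Python helper is an added example, not code from the original post or from Splunk; it assumes the operator already holds a list of deployment-server hostnames with the version strings they report (the hostnames and versions below are constructed sample data).

```python
"""Flag Splunk Enterprise deployment servers below 9.0 (CVE-2022-32158).

Added example, not part of the original post. It assumes the operator already
has an inventory of deployment-server hosts and their reported version
strings; the inventory below is constructed sample data.
"""
import re
from typing import Dict, List, Tuple

# Splunk Enterprise 9.0 and later contain the fix described in the advisory.
FIXED_VERSION = (9, 0, 0)

# Leading "major.minor.patch" components; anything after them is ignored.
_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn a version string such as '8.2.6' or '9.0' into a comparable tuple.

    Missing components default to 0, so '9.0' compares equal to '9.0.0'.
    Trailing build or suffix text (e.g. '9.0.0.1') does not affect the result.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(g) if g is not None else 0 for g in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if a deployment server on this version predates the 9.0 fix."""
    return parse_version(version) < FIXED_VERSION


def affected_hosts(inventory: Dict[str, str]) -> List[str]:
    """Return the hosts (sorted) whose version is below 9.0 and needs upgrading."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory: hostname -> version string reported by the host.
SAMPLE_INVENTORY = {
    "ds-prod-01.example.invalid": "8.2.6",
    "ds-prod-02.example.invalid": "9.0.0",
    "ds-lab-01.example.invalid": "8.1.2",
    "ds-lab-02.example.invalid": "9.0.1",
}

if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        ver = SAMPLE_INVENTORY[host]
        print(f"{host}: Splunk Enterprise {ver} is below 9.0; upgrade required")
```

Replace `SAMPLE_INVENTORY` with the real inventory (for example, version strings collected from each host's `splunk version` output) to get the list of deployment servers still exposed to this issue.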


References

CVE - The MITRE Corporation

NIST - National Institute of Standards and Technology
